
OAuth2 (and any other bearer token protocol) has an issue with potential token misuse through theft, MITM (man in the middle) attacks and hijacking. Proof of Possession (PoP) is a mechanism that binds a bearer token to a particular user/device, in order to prevent misuse by a third party.

This session discussed user-to-token binding via PKI.

  • Augments traditional OAuth2 token flows

  • Requires no changes to existing flows
  • AM, acting as an authorization service, will issue "signature" access_tokens
    • the access_token becomes specific to the user it is being issued to
    • leverages a new claim called the cnf_key (confirmation key)
    • this cnf_key is the base64 encoded JWK (JSON Web Key) public key of the requesting client
    • token introspection now includes the cnf_key component


  • When the token is presented to the resource server, the RS can pull out the cnf_key and use it to drive a challenge-response mechanism
  • This CR would require a response that proves possession of the corresponding private key
    • e.g. RS encrypts a basic maths question (increment a random large number by 1)
    • the client needs the private key to decrypt the message; it decrypts it and sends the response, signed or encrypted with the private key, back to the RS
    • RS can verify the private-key-based response because it has access to the public key


  • CR mechanisms require more steps
  • Challenge response isn't described in the specs; there are many ways to implement it
  • Not all requests will need to use PoP, due to the extra hops involved
  • Provides an extra security option

